It’s been another insightful week in cybersecurity and data breaches.
Law firm DLA Piper has discovered that since GDPR was implemented in May 2018 there were an average of 247 data breach notifications per day in the first eight months. And, since that point there have been an average of 278 notifications per day. As per ZDNet, over 160,000 data breach notifications have been made to GDPR governing authorities in the year and a half since GDPR came into play.
Ross McKean, partner at DLA Piper specialising in cyber and data protection says:
“GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12 per cent compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organisations.”
Fines resulting from GDPR compliance issues and data breaches are calculated to date at £97 million.
Action against sellers of information obtained from data breaches
The FBI, in collaboration with the UK’s National Crime Agency (NCA) and others, has taken down a website that sells access to stolen data. The FBI seized the domain WeLeakInfo[.]com after being granted a warrant by the District of Columbia, US. The website’s managers have not been apprehended.
As per Infosecurity Magazine, the website said it was for users who wanted to check if their information had been compromised but it provided a “useful resource” for cybercriminals looking to use breached data in phishing, social engineering, and other such attacks.
A Department of Justice statement said:
“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts.”
And, says the statement, “The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period.”
The FBI is reportedly seeking any information on the website’s owners or administrators.
Mitsubishi Electric have disclosed a major breach that occurred last year.
The company has published a statement on its website revealing a breach that happened on June 28, 2019, and that has been subject to an internal investigation.
Mitsubishi Electric, based in Tokyo, have reportedly revealed the breach after stories were published in two local newspapers. The publication’s blame a group of cyber-spies linked to China.
In the breach, hackers may have stolen sensitive data from the company’s internal network. Mitsubishi agree that data was stolen but have denied that the information concerned its business partners and defence contracts.
The company is one of Japan’s largest defence and infrastructure companies and the breach is being treated with “utmost severity,” as per ZDNet.
Regus employee data exposed
The BBC reports that job performance details for over 900 employees at office-space provider Regus have been published online by accident. A staff performance review included workers being recorded showing researchers posing as clients around office space that was up for rent.
Information was then published on collaborative work platform Trello and a spreadsheet of staff names, addresses, and job performance information, was discovered by the Telegraph via Google.
The names and addresses of hundreds of researchers contracted by Regus parent company IWG were also breached. IWG says, “team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles.” The company adds:
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise. As our primary concern we took immediate action and the external provider has now removed the content.”
John Kyrle High School and Sixth Form Centre, Ross-on-Wye, UK
The Hereford Times reports that West Mercia Police are investigating a cyber attack that has erased personal documents from computer systems at the Herefordshire secondary school.
Headteacher Nigel Griffiths believes the data has been deleted rather than stolen or shared and explained:
“We were unable to access servers within the school which are used to store lots of different types of personal data about staff and pupils.”
The breached data could include student records, exam data, special needs, and safeguarding information. Griffiths adds:
“The security issue which has arisen, further to initial investigations, is the system has been accessed without authorisation. Encryption has been applied which is currently preventing us from being able to access the server.”
The well-rated 800 pupil school has experienced “considerable disruption,” from the attack and breach, and the headteacher says:
“It is clear that this security incident is criminal in nature and investigations are already underway to identify the perpetrator and minimise any ongoing risk.”
The UK Information Commissioner’s Office has reportedly been informed, as well as examination boards, Ofsted, and Herefordshire Council.
Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.
Subscribe to the Proofpoint Blog